[英]Can $_SERVER variables in PHP be changed by the user? If so how?
I need to use $_SERVER variables like SCRIPT_FILENAME for a mvc framework I'm writing. 我需要为我正在编写的mvc框架使用$ _SERVER变量,例如SCRIPT_FILENAME。 I'm wondering if a user can change things like that.
我想知道用户是否可以更改类似的内容。 Say the user requests index.php, can they fake the SCRIPT_FILENAME variable and rename it to something else that is being sent over?
假设用户请求index.php,他们可以伪造SCRIPT_FILENAME变量并将其重命名为正在发送的其他内容吗?
Some $_SERVER
values are safe, others are not. 一些
$_SERVER
值是安全的,而其他则不是。 The unsafe ones mostly start with HTTP_
and are the HTTP headers sent by the user's browser. 不安全的大多数以
HTTP_
开头,并且是用户浏览器发送的HTTP标头。
Yes, it is possible. 对的,这是可能的。
See this post: How to bypass the REFERER security check . 请参阅这篇文章:如何绕过REFERER安全检查 。
Assuming that the user doesn't have access to some way that re-directs the execution of the script through another script, or access to the server, I'd say no. 假设用户没有某种方式可以通过另一个脚本来重定向脚本的执行,也无法访问服务器,那么我不会。 Also, if you're really worried about that, you can use
__FILE__
which doesn't depend on user data. 另外,如果您真的很担心,可以使用不依赖用户数据的
__FILE__
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.